Behind the Canvas Hack and Instructure Ransom Payment

Tech giant Instructure has paid a ransom to ShinyHunters following the breach of Canvas – its educational software platform. 

The threat group hacked the system twice within a two-week period, and the breaches disrupted thousands of institutions across the US, Canada, Australia and the UK. Studies were affected, exams were postponed and student data was stolen.

According to ShinyHunters, the group stole over 3.5 terabytes of data. This includes personal identifying information such as names, email addresses, student ID numbers and messages between teachers and students.

Instructure says the hackers agreed to return the data, prove they destroyed their copies and promise not to contact customers for money.

Instructure explains the payment

Instructure published its reasoning on the incident update page. The company says it understands how unsettling situations like this can be and protecting the community remains its top priority.

“We know that concerns about the potential publication of data related to this incident remain top of mind for many customers,” Instructure says.

“With that responsibility in mind, Instructure reached an agreement with the unauthorised actor involved in this incident,” the company adds.

The amount paid has not been made public.

Timeline of the breach

On 29 April 2025, Instructure says it detected unauthorised activity in Canvas. The company moved to revoke third-party access.

Instructure then opened an investigation involving outside forensic experts.

On 7 May 2025, the Canvas login page displayed a message from ShinyHunters. “ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it, they ignored us and did some ‘security patches’,” the message read.

The gang mandated a deadline of 12 May 2026 before “everything is leaked”.

Free-For-Teacher accounts exploited

Instructure attributes the second breach to be tied to the previous incident, following which Canvas was taken offline as a precaution.

“Out of caution, we temporarily took Canvas offline into maintenance mode to contain the activity, investigate and apply additional safeguards,” Instructure updated.

“We have since confirmed that the unauthorised actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts,” the company revealed.

“This is the same issue that led to the unauthorised access the prior week. As a result, we have made the difficult decision to temporarily shut down Free-For-Teacher accounts.”

The company has since confirmed it has reached an agreement with the hackers.

CEO issues apology statement

The incident update page on Instructure now carries a message from Steve Daly, CEO of Instructure. Daly has extended an apology for the incident.

“Over the past few days, many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom. Questions you couldn’t get answered. You deserved more consistent communication from us and we didn’t deliver it. I’m sorry for that,” Steve says.

Paying ransom goes against general regulatory consensus, as it could promote the business model of extortion groups.

The factor of trust is also a concern. Hackers can and have lied about destroying data, while keeping it even after payments were made.

Trust lost has also affected Instructure: “Rebuilding trust takes time. We’re going to earn it back through consistent action and honest communication. We’re in this for you and your community,” Steve adds.

Industry response to payment

Instructure acknowledged uncertainty when dealing with cybercriminals, saying that the company reserved its decision as an effort to give customers peace of mind.

“It is not surprising to learn that despite regulatory pressure, security and risk leaders remain open to paying a ransom to recover their systems and protect data when considering that prolonged downtime can lead to unsustainable losses,” says Christy Wyatt, President and CEO at Absolute Security.

“CISOs who build systems that can quickly restore continuity after disruptive attacks can avoid getting trapped in a cycle which will only grow alongside cybercriminals’ increasing use of AI-powered attacks,” Wyatt adds.